jfbilodeau/jwks-client

ECC Keys in JWKS Response cause Error

tscs37 opened this issue · 8 comments

Currently, if a JWKS Set contains both an RSA and an ECC key, jwks-client produces an error due to the missing e and n fields in the ECC key.

Using the #[serde(default)] tag in both fields solves the issue; as the library doesn't verify P256 keys, those will still fail but R256 keys continue to function, so it doesn't matter that the P256 key isn't a valid RSA key.

Hey Tim,

Thanks for opening the issue. Is there any chance you could provide a sample keyset (json or url) to help me look at the issue?

{
  "keys": [
    {
      "kid": "OuLjiRkq<<redacted>>",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "<<redacted>>",
      "e": "AQAB",
      "x5c": [
        "<<redacted>>"
      ],
      "x5t": "<<redacted>>",
      "x5t#S256": "<<redacted>>"
    },
    {
      "kid": "bjFH5u9T<<redacted>>",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "<<redacted>>",
      "e": "AQAB",
      "x5c": [
        "<<redacted>>"
      ],
      "x5t": "<<redacted>>",
      "x5t#S256": "<<redacted>>"
    },
    {
      "kid": "keZwNXPO<<redacted>>",
      "kty": "EC",
      "alg": "ES256",
      "use": "sig",
      "crv": "P-256",
      "x": "<<redacted>>",
      "y": "<<redacted>>"
    }
  ]
}

I do have to redact the actual key material for various reasons so sadly this won't enable you to test the verification itself. The JWKS Data is generated by Keycloak.

That's perfect Tim. Much appreciated.

Hey Tim, an updated version of jwks_client should be available on crates.io (0.1.8). If you could test and let me know if that fixes the error for you, that would be greatly appreciated. Thanks again for your help.

Thanks, I won't be able to test the code until early January since we are closed over Christmas, but I appreciate the quick fix!

Thanks. I'm marking the issue as closed, but feel free to re-open should there be a problem. Have a great holiday!

Hi, just a closing remark; I was able to test the patch and it works like a charm! Thank you very much!

Thank you for helping me improve jwks-client!
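The failure described in the opening post, as an added example that is not part of the thread and not jwks-client's own code: a strict conversion that demands `n` and `e` on every entry rejects a mixed keyset, while dispatching on `kty` keeps the RSA keys and records the EC key as unsupported rather than leaving it with defaulted `n` and `e`. `RawJwk`, `Jwk` and the function names are hypothetical, and the map stands in for an already-decoded JSON object with constructed placeholder values.

```rust
use std::collections::HashMap;

// Constructed stand-in for one already-decoded JWKS entry (member -> value).
type RawJwk = HashMap<&'static str, &'static str>;

#[derive(Debug, PartialEq)]
enum Jwk {
    Rsa { kid: String, n: String, e: String },
    // Kept so a lookup by `kid` can say why the key is unusable.
    Unsupported { kid: String, kty: String },
}
fn field(k: &RawJwk, name: &str) -> Result<String, String> {
    k.get(name).map(|v| v.to_string()).ok_or_else(|| format!("missing field `{}`", name))
}

// Strict: every entry must carry the RSA members `n` and `e`.
fn rsa_from(k: &RawJwk) -> Result<Jwk, String> {
    Ok(Jwk::Rsa { kid: field(k, "kid")?, n: field(k, "n")?, e: field(k, "e")? })
}

// Tolerant: dispatch on `kty`; a non-RSA entry is recorded as Unsupported
// rather than turned into an RSA key with empty `n` and `e`.
fn jwk_from(k: &RawJwk) -> Result<Jwk, String> {
    match field(k, "kty")?.as_str() {
        "RSA" => rsa_from(k),
        other => Ok(Jwk::Unsupported { kid: field(k, "kid")?, kty: other.to_string() }),
    }
}

// One failing entry rejects the whole set, as reported in this issue.
fn parse_strict(keys: &[RawJwk]) -> Result<Vec<Jwk>, String> {
    keys.iter().map(rsa_from).collect()
}
fn parse_tolerant(keys: &[RawJwk]) -> Result<Vec<Jwk>, String> {
    keys.iter().map(jwk_from).collect()
}

// Constructed sample in the shape of the keyset in the thread (placeholder values).
fn sample() -> Vec<RawJwk> {
    vec![
        HashMap::from([("kid", "rsa-1"), ("kty", "RSA"), ("n", "PLACEHOLDER"), ("e", "AQAB")]),
        HashMap::from([("kid", "ec-1"), ("kty", "EC"), ("crv", "P-256"), ("x", "PLACEHOLDER"), ("y", "PLACEHOLDER")]),
    ]
}

fn main() {
    println!("strict:   {:?}", parse_strict(&sample()));
    println!("tolerant: {:?}", parse_tolerant(&sample()));
}
```

A verifier built on the tolerant result should refuse any token whose `kid` resolves to an `Unsupported` entry instead of attempting RSA verification with it.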